其他内容过滤条件的设置代码

技术支持

企业产品

Kaspersky Secure Mail Gateway

附录

审核事件记录中的规则设置代码

其他内容过滤条件的设置代码

2024年12月12日

ID 287393

如果在事件日志设置中启用了审核事件和修改设置的日志记录，则当“内容过滤”模块中的附件的类型和名称设置被编辑时，有关更改的详细信息会记录在审核日志事件中。

下表显示了审核日志记录中除附件类型和名称之外的所有属性的条件设置是如何编码的。

审核事件记录中的常规条件设置代码

“内容过滤”模块中的条件设置	审核事件记录中的代码	示例
“条件”表中的“状态”拨动开关	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>,<message attribute>}.enable` 可能的值： `true`，如果启用了条件。 `false`，如果禁用了条件。当条件创建时，切换开关会自动启用，并记录相应的审核事件。	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.enable[][true]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.messageAttribute[][Subject]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.enable[true][false]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, From}.enable[false][]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, From}.messageAttribute[From][]` `scanSettings.cfScanSettings.expressions{1, Some expression 2 name}.conditions{2, To}.Index[2][1]` `scanSettings.cfScanSettings.expressions{1, Some expression 3 name}.conditions{3, Cc}.Index[3][2]` 修改的条件中的消息属性： `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.messageAttribute[Subject][]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.enable[true][]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.Index[1][]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Body}.messageAttribute[][Body]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Body}.enable[][true]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Body}.Index[][1]`
条件的序列号内部设置，不显示在 Web 界面上。	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.Index` 当列表中其他条件所参照的条件被删除时，会记录此设置。
邮件属性	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, <message attribute>}.` `messageAttribute` 消息属性可能的值： `AttachmentFormat` `AttachmentName` `MessageSize` `主题` `正文` `标题` `发件人` `收件人` `抄送` 修改条件中的消息属性将被记录为删除具有旧消息属性的条件并创建具有新消息属性的新条件。

“内容过滤”模块中的条件设置

审核事件记录中的代码

示例

“条件”表中的“状态”拨动开关

scanSettings.cfScanSettings.expressions
{<expression number>, <expression name>}.
conditions{<condition number>,<message attribute>}.enable

可能的值：

true，如果启用了条件。
false，如果禁用了条件。

当条件创建时，切换开关会自动启用，并记录相应的审核事件。

创建的条件：

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.enable[][true]

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.messageAttribute[][Subject]

修改的条件：

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.enable[true][false]

删除的条件：

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, From}.enable[false][]

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, From}.messageAttribute[From][]

scanSettings.cfScanSettings.expressions{1, Some expression 2 name}.conditions{2, To}.Index[2][1]

scanSettings.cfScanSettings.expressions{1, Some expression 3 name}.conditions{3, Cc}.Index[3][2]

修改的条件中的消息属性：

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.messageAttribute[Subject][]

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.enable[true][]

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Subject}.Index[1][]

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Body}.messageAttribute[][Body]

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Body}.enable[][true]

scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1, Body}.Index[][1]

条件的序列号

内部设置，不显示在 Web 界面上。

scanSettings.cfScanSettings.expressions
{<expression number>, <expression name>}.Index

当列表中其他条件所参照的条件被删除时，会记录此设置。

邮件属性

scanSettings.cfScanSettings.expressions
{<expression number>, <expression name>}.
conditions{<condition number>, <message attribute>}.
messageAttribute

消息属性可能的值：

AttachmentFormat
AttachmentName
MessageSize
主题
正文
标题
发件人
收件人
抄送

修改条件中的消息属性将被记录为删除具有旧消息属性的条件并创建具有新消息属性的新条件。

审计事件记录中发件人、收件人、抄送、主题和正文属性的条件设置代码

发件人、收件人、抄送、主题或正文属性的条件设置	审核事件记录中的代码	示例
标准	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, <` `message attribute>}.<message attribute>.` `conditionType` 可能的值： `InList`，如果选择了“附件类型至少匹配下面列出的一个项目”。 `NotInList`，如果选择了“附件类型不匹配下面列出的任何项目”。对于发件人、收件人、抄送属性，以下值也是有效的： `IsEmpty`，如果选择了“发件人列表为空”。 `IsNotEmpty`，如果选择了“发件人列表不为空”。	创建的条件： `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.conditions{1,` `From}.from.conditionType[][InList`] 修改的条件： `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.conditions{1,` `From}.from.conditionType[InList][NotInList]` 删除的条件： `scanSettings.cfScanSettings.expressions{1,` `Some expression name}.conditions{1,` `From}.from.conditionType[NotInList][]`
文本	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, <` `message attribute>}.<message attribute>.` `inlineValues.textList`	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.` `from.inlineValues.textList.Added[Abc Def]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.` `from.inlineValues.textList.Added[Ghi Xyz]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.` `from.inlineValues.textList.Removed[Def]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.` `from.inlineValues.textList.Removed[Abc Ghi Xyz]`
通配符	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, <` `message attribute>}.<message attribute>.` `inlineValues.wildcardList`	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.wildcardList.Added[%2A@some_mail.com]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.wildcardList.Added[%2A@another_mail.com]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.wildcardList.Removed[%2A@some_mail.com]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.wildcardList.Removed[%2A@another_mail.com]`
正则表达式	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, <` `message attribute>}.<message attribute>.` `inlineValues.regexList`	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.` `from.inlineValues.regexList.Added[X-KSMG.+]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.regexList.Added[X-MS.+]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.regexList.Removed[X-KSMG.+]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.regexList.Removed[X-MS.+]`
词典	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, <` `message attribute>}.<message attribute>.` `dictionaries` 该记录将包含已连接或已断开连接的词典的 ID。	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `dictionaries.Added[1 2]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `dictionaries.Added[3]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `dictionaries.Removed[1]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `dictionaries.Removed[2 3]`

审核事件记录中“标头”属性的条件设置代码

“标头”属性的条件设置	审核事件记录中的代码	示例
标头名称	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, Header}.` `header.headerName`	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `headerName[][X-MS-Exchange-Abc]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `headerName[X-MS-Exchange-Abc][X-PT-Abc]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `headerName[X-PT-Abc][]`
标准	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, Header}.` `header.conditionType` 可能的值： `InList`，如果选择了“标头值至少包含下面列出的一个项目”。 `NotInList`，如果选择了“标头值不包含下面列出的任何项目”。	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `conditionType[][InList]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `matchingMode[][FullMatch]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `conditionType[InList][NotInList]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `matchingMode[FullMatch][SubstringMatch]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `conditionType[NotInList][]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `matchingMode[SubstringMatch][]`
条件的严格程度	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, Header}` `.header.matchingMode` 可能的值： `FullMatch`，如果选择了“值至少与一个项目匹配”。 `SubstringMatch`，如果选择了“值至少包括一个项目”。
文本	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, Header}.` `header.inlineValues.textList`	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `inlineValues.textList.Added[Abc Def]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `inlineValues.textList.Added[Ghi Xyz]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `inlineValues.textList.Removed[Def]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `inlineValues.textList.Removed[Abc Ghi Xyz]`
通配符	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, Header}.` `header.inlineValues.wildcardList`	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.wildcardList.Added[%2A@company_1.com` `%2A@company_2.com]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.wildcardList.Added[%2A@company_3.com` `%2A@company_4.com]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.wildcardList.Removed` `[%2A@company_2.com]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.wildcardList.Removed[%2A@company_1.com` `%2A@company_3.com %2A@company_4.com]`
正则表达式	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, Header}.` `header.inlineValues.regexList`	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.` `regexList.Added[.+@(1_company\|2_company)%5C.` `(com\|org\|info)]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.regexList.Added[.+@(1_company\|2_company)` `%5C.(com\|org\|io\|info)]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.regexList.Removed[.+@(1_company\|` `2_company)%5C.(com\|org\|info)]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1, From}.from.` `inlineValues.regexList.Removed[.+@(1_company\|` `2_company)%5C.(com\|org\|io\|info)]`
词典	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>, Header}.` `header.dictionaries` 该记录将包含已连接或已断开连接的词典的 ID。	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `dictionaries.Added[1 2]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `dictionaries.Added[3]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `dictionaries.Removed[1]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,Header}.header.` `dictionaries.Removed[2 3]`

审核事件记录中“邮件大小”属性的条件设置代码


“邮件大小”属性的条件设置	审核事件记录中的代码	示例
标准	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>,MessageSize}.` `messageSize.relation` 可能的值： `Less`，如果选择了“少于 (<>”。 `Greater`，如果选择了“大于 (>)”。	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `referenceSize[][500]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `relation[][Greater]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `referenceSize[500][10240]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `relation[Greater][Less]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `referenceSize[10240][]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `relation[Less][]`
大小	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>,MessageSize}.` `messageSize.referenceSize` 可能的值：非负整数。无论选择哪种计量单位，该数字都代表消息大小（以字节为单位）。
计量单位	该参数未被记录。

审核事件记录中“MIME 部分大小”属性的条件设置代码


“MIME 部分大小”属性的条件设置	审核事件记录中的代码	示例
标准	`scanSettings.cfScanSettings.expressions` `{<表达式编号>, <表达式名称>}.` `conditions{<表达式编号>,PartSize}.` `PartSize.relation` 可能的值： `Less`，如果选择了“少于 (<>”。 `Greater`，如果选择了“大于 (>)”。	创建的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `referenceSize[][500]` `scanSettings.cfScanSettings.expressions{1, Some expression name}.conditions{1,MessageSize}.messageSize.` `relation[][Greater]` 修改的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `referenceSize[500][10240]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `relation[Greater][Less]` 删除的条件： `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `referenceSize[10240][]` `scanSettings.cfScanSettings.expressions{1, Some` `expression name}.conditions{1,MessageSize}.messageSize.` `relation[Less][]`
大小	`scanSettings.cfScanSettings.expressions` `{<expression number>, <expression name>}.` `conditions{<condition number>,PartSize}.` `PartSize.referenceSize` 可能的值：非负整数。无论选择哪种计量单位，该数字都代表消息大小（以字节为单位）。
计量单位	该参数未被记录。

Kaspersky Endpoint Security for Business Advanced: Adaptive security of your company

Web and device controls. Data encryption. Centralized and convenient management from a single console.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

您觉得这篇文章有帮助吗？

我们可以做什么更好？

感谢您的反馈！你正在帮助我们进步。